policycoreutils-2.8-12

- sepolicy,semanage: replace aliases with corresponding type names
- sepolicy-generate: Handle more reserved port types
This commit is contained in:
Petr Lautrbach 2018-11-12 22:02:22 +01:00
parent d0a54fbf96
commit 3183fc4035
4 changed files with 126 additions and 71 deletions


@ -1,7 +1,7 @@
%global libauditver 2.1.3-4
%global libsepolver 2.8-1
%global libsemanagever 2.8-4
%global libselinuxver 2.8-4
%global libsepolver 2.8-3
%global libsemanagever 2.8-6
%global libselinuxver 2.8-5
%global sepolgenver 2.8
%global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -12,7 +12,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.8
Release: 11%{?dist}
Release: 12%{?dist}
License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
@ -531,6 +531,11 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Mon Nov 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
- sepolicy,semanage: replace aliases with corresponding type names
- sepolicy-generate: Handle more reserved port types
- Fix RESOURCE_LEAK coverity scan defects
* Tue Oct 16 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-11
- sepolicy: Fix get_real_type_name to handle query failure properly
- sepolicy: search() for dontaudit rules as well


@ -0,0 +1,12 @@
diff --git restorecond-2.8/restorecond.c restorecond-2.8/restorecond.c
index 6fbbd35..e1d26cb 100644
--- restorecond-2.8/restorecond.c
+++ restorecond-2.8/restorecond.c
@@ -105,6 +105,7 @@ static int write_pid_file(void)
}
if (write(pidfd, val, (unsigned int)len) != len) {
syslog(LOG_ERR, "Unable to write to pidfile (%s)", strerror(errno));
+ close(pidfd);
return 1;
}
close(pidfd);
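Review bot: None of the spec hunks shown on this page adds a `Patch:` line or a `%prep` application for this new patch file, nor for the semodule_package.c patch added further down; unless an earlier commit already wired them in, neither `close()` fix reaches the built package. The hunk itself is sound: the added `close(pidfd);` sits after the `syslog()` call, so `strerror(errno)` still reports the write failure before the descriptor is released. `write_pid_file()` starts and ends outside the hunk, so whether the partially written pidfile is unlinked on this error path cannot be checked here. The commit description (lines 3–4) also omits the "Fix RESOURCE_LEAK coverity scan defects" entry that the `%changelog` carries.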


@ -262,7 +262,7 @@ index 0bdb90f..0cdcfcc 100644
user identities to authorized role sets. In most cases, only the
former mapping needs to be adjusted by the administrator; the latter
diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py
index c76dce8..26f3376 100644
index c76dce8..972d5af 100644
--- selinux-python-2.8/semanage/seobject.py
+++ selinux-python-2.8/semanage/seobject.py
@@ -30,7 +30,7 @@ import sys
@ -349,79 +349,78 @@ index c76dce8..26f3376 100644
raise error
def get_all_logins(self):
@@ -1087,7 +1081,7 @@ class portRecords(semanageRecords):
@@ -1087,6 +1081,8 @@ class portRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ type = sepolicy.get_real_type_name(type)
+
if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % type)
(k, proto_d, low, high) = self.__genkey(port, proto)
@@ -1151,7 +1145,7 @@ class portRecords(semanageRecords):
@@ -1151,6 +1147,7 @@ class portRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ setype = sepolicy.get_real_type_name(setype)
if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % setype)
(k, proto_d, low, high) = self.__genkey(port, proto)
@@ -1355,7 +1349,7 @@ class ibpkeyRecords(semanageRecords):
@@ -1355,6 +1352,8 @@ class ibpkeyRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ type = sepolicy.get_real_type_name(type)
+
if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1417,7 +1411,7 @@ class ibpkeyRecords(semanageRecords):
@@ -1417,6 +1416,8 @@ class ibpkeyRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ setype = sepolicy.get_real_type_name(setype)
+
if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1603,7 +1597,7 @@ class ibendportRecords(semanageRecords):
@@ -1603,6 +1604,8 @@ class ibendportRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ type = sepolicy.get_real_type_name(type)
+
if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
@@ -1664,7 +1658,7 @@ class ibendportRecords(semanageRecords):
@@ -1664,6 +1667,8 @@ class ibendportRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ setype = sepolicy.get_real_type_name(setype)
+
if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
(k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
@@ -1853,7 +1847,7 @@ class nodeRecords(semanageRecords):
@@ -1853,6 +1858,8 @@ class nodeRecords(semanageRecords):
if ctype == "":
raise ValueError(_("SELinux node type is required"))
- if ctype not in self.valid_types:
+ if sepolicy.get_real_type_name(ctype) not in self.valid_types:
+ ctype = sepolicy.get_real_type_name(ctype)
+
if ctype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -1922,7 +1916,7 @@ class nodeRecords(semanageRecords):
@@ -1922,6 +1929,8 @@ class nodeRecords(semanageRecords):
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ setype = sepolicy.get_real_type_name(setype)
+
if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % setype)
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -2241,7 +2235,6 @@ class fcontextRecords(semanageRecords):
@@ -2241,7 +2250,6 @@ class fcontextRecords(semanageRecords):
try:
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
@ -429,24 +428,32 @@ index c76dce8..26f3376 100644
except RuntimeError:
valid_types = []
@@ -2369,7 +2362,7 @@ class fcontextRecords(semanageRecords):
@@ -2369,8 +2377,10 @@ class fcontextRecords(semanageRecords):
if type == "":
raise ValueError(_("SELinux Type is required"))
- if type not in self.valid_types:
+ if type != "<<none>>" and sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
- raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
+ if type != "<<none>>":
+ type = sepolicy.get_real_type_name(type)
+ if type not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
@@ -2432,7 +2425,7 @@ class fcontextRecords(semanageRecords):
if rc < 0:
@@ -2432,8 +2442,10 @@ class fcontextRecords(semanageRecords):
def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))
- if setype and setype not in self.valid_types:
+ if setype not in ["", "<<none>>"] and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
- raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
+ if setype not in ["", "<<none>>"]:
+ setype = sepolicy.get_real_type_name(setype)
+ if setype not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
self.validate(target)
diff --git selinux-python-2.8/sepolgen/src/sepolgen/access.py selinux-python-2.8/sepolgen/src/sepolgen/access.py
index a5d8698..ba80f93 100644
--- selinux-python-2.8/sepolgen/src/sepolgen/access.py
@ -1491,7 +1498,7 @@ index 16e6680..64c48df 100644
def test_init(self):
a = refpolicy.TypeRule()
diff --git selinux-python-2.8/sepolicy/sepolicy.py selinux-python-2.8/sepolicy/sepolicy.py
index 141f64e..6287502 100755
index 141f64e..5880176 100755
--- selinux-python-2.8/sepolicy/sepolicy.py
+++ selinux-python-2.8/sepolicy/sepolicy.py
@@ -27,7 +27,7 @@ import selinux
@ -1512,35 +1519,37 @@ index 141f64e..6287502 100755
if isinstance(values, str):
setattr(namespace, self.dest, values)
else:
@@ -103,7 +101,7 @@ class CheckDomain(argparse.Action):
@@ -103,6 +101,7 @@ class CheckDomain(argparse.Action):
domains = sepolicy.get_all_domains()
if isinstance(values, str):
- if values not in domains:
+ if sepolicy.get_real_type_name(values) not in domains:
+ values = sepolicy.get_real_type_name(values)
if values not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
setattr(namespace, self.dest, values)
else:
@@ -112,7 +110,7 @@ class CheckDomain(argparse.Action):
@@ -112,6 +111,7 @@ class CheckDomain(argparse.Action):
newval = []
for v in values:
- if v not in domains:
+ if sepolicy.get_real_type_name(v) not in domains:
+ v = sepolicy.get_real_type_name(v)
if v not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
newval.append(v)
setattr(namespace, self.dest, newval)
@@ -167,7 +165,7 @@ class CheckPortType(argparse.Action):
@@ -167,10 +167,11 @@ class CheckPortType(argparse.Action):
if not newval:
newval = []
for v in values:
- if v not in port_types:
+ if sepolicy.get_real_type_name(v) not in port_types:
+ v = sepolicy.get_real_type_name(v)
if v not in port_types:
raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
newval.append(v)
setattr(namespace, self.dest, values)
- setattr(namespace, self.dest, values)
+ setattr(namespace, self.dest, newval)
class LoadPolicy(argparse.Action):
diff --git selinux-python-2.8/sepolicy/sepolicy/__init__.py selinux-python-2.8/sepolicy/sepolicy/__init__.py
index 89346ab..c4f03f4 100644
index 89346ab..d1f4bf5 100644
--- selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -15,7 +15,7 @@ import os
@ -1562,7 +1571,7 @@ index 89346ab..c4f03f4 100644
+ results = list(q.results())
+
+ if name and len(results) < 1:
+ #type not found, try alias
+ # type not found, try alias
+ q.name = None
+ q.alias = name
+ results = list(q.results())
@ -1634,31 +1643,37 @@ index 89346ab..c4f03f4 100644
if len(tertypes) > 0:
q = setools.TERuleQuery(_pol,
@@ -437,6 +449,14 @@ def get_file_types(setype):
@@ -437,6 +449,20 @@ def get_file_types(setype):
return mpaths
+# determine if entered type is an alias
+# and return corresponding type name
+def get_real_type_name(name):
+ """Return the real name of a type
+
+ * If 'name' refers to a type alias, return the corresponding type name.
+ * Otherwise return the original name (even if the type does not exist).
+ """
+ if not name:
+ return name
+
+ try:
+ return next(info(TYPE, name))["name"]
+ except (RuntimeError, StopIteration):
+ return None
+ return name
+
def get_writable_files(setype):
file_types = get_all_file_types()
all_writes = []
@@ -1051,7 +1071,7 @@ def gen_short_name(setype):
@@ -1048,6 +1074,8 @@ def _dict_has_perms(dict, perms):
def gen_short_name(setype):
all_domains = get_all_domains()
if setype.endswith("_t"):
+ # replace aliases with corresponding types
+ setype = get_real_type_name(setype)
domainname = setype[:-2]
else:
domainname = setype
- if domainname + "_t" not in all_domains:
+ if get_real_type_name(domainname + "_t") not in all_domains:
raise ValueError("domain %s_t does not exist" % domainname)
if domainname[-1] == 'd':
short_name = domainname[:-1] + "_"
@@ -1160,27 +1180,14 @@ def boolean_desc(boolean):
@@ -1160,27 +1188,14 @@ def boolean_desc(boolean):
def get_os_version():
@ -1693,7 +1708,7 @@ index 89346ab..c4f03f4 100644
def reinit():
diff --git selinux-python-2.8/sepolicy/sepolicy/generate.py selinux-python-2.8/sepolicy/sepolicy/generate.py
index f814e27..efab71e 100644
index f814e27..8e53033 100644
--- selinux-python-2.8/sepolicy/sepolicy/generate.py
+++ selinux-python-2.8/sepolicy/sepolicy/generate.py
@@ -52,7 +52,7 @@ import sepolgen.defaults as defaults
@ -1705,6 +1720,17 @@ index f814e27..efab71e 100644
try:
import gettext
kwargs = {}
@@ -103,7 +103,9 @@ def get_all_ports():
for p in sepolicy.info(sepolicy.PORT):
if p['type'] == "reserved_port_t" or \
p['type'] == "port_t" or \
- p['type'] == "hi_reserved_port_t":
+ p['type'] == "hi_reserved_port_t" or \
+ p['type'] == "ephemeral_port_t" or \
+ p['type'] == "unreserved_port_t":
continue
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict
diff --git selinux-python-2.8/sepolicy/sepolicy/gui.py selinux-python-2.8/sepolicy/sepolicy/gui.py
index 537d516..63aa02c 100644
--- selinux-python-2.8/sepolicy/sepolicy/gui.py
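Review bot: In the `gen_short_name` hunk of sepolicy/__init__.py the alias resolution is applied unevenly: the `_t` branch rewrites `setype` through `get_real_type_name()`, but the `else` branch keeps the name as typed, so `domainname` and the derived short name differ depending on whether the caller spelled an alias with or without `_t`, and the `_t` branch then pays a second policy query when `get_real_type_name(domainname + "_t")` re-resolves an already resolved name. Normalising the suffix first and resolving exactly once removes both the inconsistency and the redundant query; this assumes alias and type names share the `_t` suffix, which the existing `[:-2]` slice already relies on. `gen_short_name()` continues past the hunk (the short-name derivation and `return` are not shown). As a smaller point of style, the comparison chain added to `get_all_ports()` in generate.py would read as `if p['type'] in ("reserved_port_t", "port_t", "hi_reserved_port_t", "ephemeral_port_t", "unreserved_port_t"):`.
```python
def gen_short_name(setype):
    all_domains = get_all_domains()
    if not setype.endswith("_t"):
        setype = setype + "_t"
    # resolve an alias to its type exactly once; the resolved name is what is checked below
    setype = get_real_type_name(setype)
    domainname = setype[:-2]
    if setype not in all_domains:
        raise ValueError("domain %s_t does not exist" % domainname)
    # … unchanged: short_name derivation and return …
```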


@ -0,0 +1,12 @@
diff --git semodule-utils-2.8/semodule_package/semodule_package.c semodule-utils-2.8/semodule_package/semodule_package.c
index 3515234..7b75b3f 100644
--- semodule-utils-2.8/semodule_package/semodule_package.c
+++ semodule-utils-2.8/semodule_package/semodule_package.c
@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
}
if (!sb.st_size) {
*len = 0;
+ close(fd);
return 0;
}